1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 09:08:49 -05:00
curl/lib
Daniel Gustafsson b4bb920405 vtls: fix potential ssl_buffer stack overflow
In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
2019-05-13 20:27:50 +02:00
..
vauth pingpong: disable more when no pingpong enabled 2019-05-13 08:17:10 +02:00
vtls vtls: fix potential ssl_buffer stack overflow 2019-05-13 20:27:50 +02:00
.gitattributes .gitattributes: force shell scripts to LF 2017-04-17 08:32:13 +02:00
.gitignore VC: remove the makefile.vc6 build infra 2017-01-23 14:27:32 +01:00
altsvc.c altsvc: Fix building with cookies disables 2019-04-20 22:46:21 +02:00
altsvc.h alt-svc: the libcurl bits 2019-03-03 11:17:52 +01:00
amigaos.c configure: add --with-amissl 2019-03-15 10:22:42 +01:00
amigaos.h configure: add --with-amissl 2019-03-15 10:22:42 +01:00
arpa_telnet.h travis: add build for "configure --disable-verbose" 2018-10-18 14:51:49 +02:00
asyn-ares.c build: fix "clarify calculation precedence" warnings 2019-05-12 09:31:09 +02:00
asyn-thread.c threaded-resolver: shutdown the resolver thread without error message 2019-03-01 09:31:34 +01:00
asyn.h curl_multi_remove_handle() don't block terminating c-ares requests 2019-01-07 10:05:20 +01:00
base64.c base64: build conditionally if there are users 2019-05-13 08:17:09 +02:00
checksrc.pl checksrc: add COPYRIGHTYEAR check 2018-12-03 23:13:40 +01:00
CMakeLists.txt CMake: Improve config installation 2018-10-01 16:16:29 -04:00
config-amigaos.h config-amigaos.h: (embarrassed) made the line shorter 2016-12-18 23:46:17 +01:00
config-dos.h whitespace fixes 2018-09-23 22:24:02 +00:00
config-mac.h
config-os400.h os400: Disable Alt-Svc by default since it's experimental 2019-03-24 16:43:43 -04:00
config-riscos.h
config-symbian.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
config-tpf.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
config-vxworks.h configure: remove the unused fdopen macro 2019-02-22 22:38:33 +01:00
config-win32.h config_win32: enable LDAPS 2018-10-19 09:23:14 +02:00
config-win32ce.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
conncache.c CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse 2019-04-21 23:06:23 +02:00
conncache.h pipelining: removed 2019-04-06 22:49:50 +02:00
connect.c doh: disable DOH for the cases it doesn't work 2019-05-11 11:38:58 +02:00
connect.h cleanup: make local functions static 2019-02-10 18:38:57 +01:00
content_encoding.c content_encoding: accept up to 4 unknown trailer bytes after raw deflate data 2018-07-12 22:46:15 +02:00
content_encoding.h HTTP: support multiple Content-Encodings 2017-11-05 15:09:48 +01:00
cookie.c cookie: Guard against possible NULL ptr deref 2019-05-01 13:14:15 +02:00
cookie.h altsvc: Fix building with cookies disables 2019-04-20 22:46:21 +02:00
curl_addrinfo.c memdebug: log pointer before freeing its data 2019-03-12 21:45:03 +01:00
curl_addrinfo.h memdebug: make debug-specific functions use curl_dbg_ prefix 2019-03-08 23:21:21 +01:00
curl_base64.h
curl_config.h.cmake cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP 2019-04-27 11:51:23 +02:00
curl_ctype.c URL: fix ASCII dependency in strcpy_url and strlen_url 2018-05-03 15:19:20 +02:00
curl_ctype.h URL: fix ASCII dependency in strcpy_url and strlen_url 2018-05-03 15:19:20 +02:00
curl_des.c use *.sourceforge.io and misc URL updates 2017-02-06 19:21:05 +00:00
curl_des.h
curl_endian.c cleanup: make local functions static 2019-02-10 18:38:57 +01:00
curl_endian.h curl_endian: remove unused functions 2017-06-02 13:30:41 +02:00
curl_fnmatch.c fnmatch: disable if FTP is disabled 2019-02-12 07:50:39 +01:00
curl_fnmatch.h
curl_get_line.c altsvc: Fix building with cookies disables 2019-04-20 22:46:21 +02:00
curl_get_line.h altsvc: Fix building with cookies disables 2019-04-20 22:46:21 +02:00
curl_gethostname.c
curl_gethostname.h
curl_gssapi.c snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
curl_gssapi.h gssapi: fix deprecated header warnings 2019-02-14 08:38:43 +01:00
curl_hmac.h
curl_ldap.h whitespace fixes 2018-09-23 22:24:02 +00:00
curl_md4.h ntlm: Missed pre-processor || (or) during rebase for cd15acd0 2019-04-23 20:26:02 +01:00
curl_md5.h md5: Update the function signature following d84da52d 2019-04-16 00:08:42 +01:00
curl_memory.h spelling fixes 2017-03-26 23:56:23 +02:00
curl_memrchr.c Curl_memchr: zero length input can't match 2018-04-24 08:03:23 +02:00
curl_memrchr.h
curl_multibyte.c curl_multibyte: fix a malloc overcalculation 2018-11-06 03:11:05 -05:00
curl_multibyte.h
curl_ntlm_core.c ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 2019-04-23 20:00:33 +01:00
curl_ntlm_core.h ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 2019-04-23 20:00:33 +01:00
curl_ntlm_wb.c auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
curl_ntlm_wb.h auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
curl_path.c ssh: define USE_SSH if SSH is enabled (any backend) 2019-05-06 10:14:17 +02:00
curl_path.h headers: end all headers with guard comment 2018-10-23 10:02:24 +02:00
curl_printf.h snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
curl_range.c Curl_range: fix FTP-only and FILE-only builds 2018-03-11 20:33:04 +01:00
curl_range.h Curl_range: commonize FTP and FILE range handling 2018-01-30 17:23:26 +01:00
curl_rtmp.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
curl_rtmp.h
curl_sasl.c sasl: only enable if there's a protocol enabled using it 2019-05-13 08:17:10 +02:00
curl_sasl.h
curl_sec.h
curl_setup_once.h whitespace fixes 2018-09-23 22:24:02 +00:00
curl_setup.h ssh: define USE_SSH if SSH is enabled (any backend) 2019-05-06 10:14:17 +02:00
curl_sha256.h auth: add support for RFC7616 - HTTP Digest access authentication 2017-10-28 16:32:43 +02:00
curl_sspi.c comment: Fix multiple typos in function parameters 2018-10-03 10:27:27 +02:00
curl_sspi.h
curl_threads.c curl_threads: fix classic MinGW compile break 2018-09-27 09:13:20 +02:00
curl_threads.h Windows: fixes for MinGW targeting Windows Vista 2018-10-09 08:33:45 +02:00
curlx.h snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
dict.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
dict.h
doh.c doh: CURL_DISABLE_DOH 2019-05-13 08:17:09 +02:00
doh.h doh: CURL_DISABLE_DOH 2019-05-13 08:17:09 +02:00
dotdot.c Curl_dedotdotify(): always nul terminate returned string. 2018-09-24 07:48:41 +02:00
dotdot.h headers: end all headers with guard comment 2018-10-23 10:02:24 +02:00
easy.c auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
easyif.h whitespace fixes 2018-09-23 22:24:02 +00:00
escape.c snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
escape.h whitespace fixes 2018-09-23 22:24:02 +00:00
file.c file: fix "Checking if unsigned variable 'readcount' is less than zero." 2019-03-12 21:46:11 +01:00
file.h whitespace fixes 2018-09-23 22:24:02 +00:00
fileinfo.c wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
fileinfo.h ftplistparser: keep state between invokes 2018-04-24 14:23:20 +02:00
firefox-db2pem.sh whitespace fixes 2018-09-23 22:24:02 +00:00
formdata.c mime: acknowledge CURL_DISABLE_MIME 2019-05-13 08:17:09 +02:00
formdata.h mime: acknowledge CURL_DISABLE_MIME 2019-05-13 08:17:09 +02:00
ftp.c doh: disable DOH for the cases it doesn't work 2019-05-11 11:38:58 +02:00
ftp.h urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
ftplistparser.c ftplistparser: fix LGTM alert "Empty block without comment" 2019-04-05 12:56:18 +02:00
ftplistparser.h
getenv.c
getinfo.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
getinfo.h
gopher.c gopher: remove check for path == NULL 2019-03-05 08:01:50 +01:00
gopher.h
hash.c cppcheck: fix warnings 2018-06-11 11:14:48 +02:00
hash.h llist: no longer uses malloc 2017-04-22 11:25:27 +02:00
hmac.c checksrc: make sure sizeof() is used *with* parentheses 2018-05-21 23:21:47 +02:00
hostasyn.c dns: release sharelock as soon as possible 2019-02-11 13:34:11 +01:00
hostcheck.c axtls: removed 2018-11-01 10:29:53 +01:00
hostcheck.h whitespace fixes 2018-09-23 22:24:02 +00:00
hostip4.c snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
hostip6.c strerror: make the strerror function use local buffers 2019-02-26 10:20:21 +01:00
hostip.c doh: disable DOH for the cases it doesn't work 2019-05-11 11:38:58 +02:00
hostip.h doh: disable DOH for the cases it doesn't work 2019-05-11 11:38:58 +02:00
hostsyn.c resolvers: only include anything if needed 2017-10-27 13:20:13 +02:00
http2.c pipelining: removed 2019-04-06 22:49:50 +02:00
http2.h cleanup: make local functions static 2019-02-10 18:38:57 +01:00
http_chunks.c ctype: restore character classification for non-ASCII platforms 2018-04-24 14:36:06 +02:00
http_chunks.h whitespace fixes 2018-09-23 22:24:02 +00:00
http_digest.c auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
http_digest.h auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
http_negotiate.c auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
http_negotiate.h auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
http_ntlm.c auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
http_ntlm.h auth: Rename the various authentication clean up functions 2019-05-12 18:37:00 +01:00
http_proxy.c urldata: rename easy_conn to just conn 2019-01-11 15:35:13 +01:00
http_proxy.h http_proxy: fix build with http and proxy 2017-06-18 15:18:15 +02:00
http.c proxy: acknowledge DISABLE_PROXY more 2019-05-13 08:17:10 +02:00
http.h urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
idn_win32.c
if2ip.c CURLOPT_ADDRESS_SCOPE: fix range check and more 2019-04-13 11:18:55 +02:00
if2ip.h CURLOPT_ADDRESS_SCOPE: fix range check and more 2019-04-13 11:18:55 +02:00
imap.c emailL Added reference to RFC8314 for implicit TLS 2019-04-11 01:19:15 +01:00
imap.h imap: change from "FETCH" to "UID FETCH" 2018-09-06 10:57:48 +02:00
inet_ntop.c snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
inet_ntop.h whitespace fixes 2018-09-23 22:24:02 +00:00
inet_pton.c curl_setup_once: Remove ERRNO/SET_ERRNO macros 2017-07-10 02:09:27 -04:00
inet_pton.h whitespace fixes 2018-09-23 22:24:02 +00:00
krb5.c sendf: use failf() rather than Curl_failf() 2018-09-13 10:48:21 +02:00
ldap.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
libcurl.plist
libcurl.rc (lib)curl.rc: fixup for minor bugs 2018-12-10 00:10:04 +01:00
libcurl.vers.in
llist.c Curl_llist_remove: fix potential NULL pointer deref 2017-11-21 09:02:40 +01:00
llist.h whitespace fixes 2018-09-23 22:24:02 +00:00
Makefile.am makefile: make checksrc and hugefile commands "silent" 2019-03-14 20:11:24 +01:00
makefile.amiga whitespace fixes 2018-09-23 22:24:02 +00:00
makefile.dj whitespace fixes 2018-09-23 22:24:02 +00:00
Makefile.inc altsvc: Fix building with cookies disables 2019-04-20 22:46:21 +02:00
Makefile.m32 whitespace fixes 2018-09-23 22:24:02 +00:00
Makefile.netware openssl: Remove SSLEAY leftovers 2018-11-17 21:36:10 +01:00
Makefile.vxworks
Makefile.Watcom openssl: Remove SSLEAY leftovers 2018-11-17 21:36:10 +01:00
md4.c ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 2019-04-23 20:00:33 +01:00
md5.c md5: Forgot to update the code alignment in d84da52d 2019-04-15 22:40:43 +01:00
memdebug.c memdebug: fix variable name 2019-04-22 03:10:05 -04:00
memdebug.h memdebug: make debug-specific functions use curl_dbg_ prefix 2019-03-08 23:21:21 +01:00
mime.c mime: acknowledge CURL_DISABLE_MIME 2019-05-13 08:17:09 +02:00
mime.h mime: acknowledge CURL_DISABLE_MIME 2019-05-13 08:17:09 +02:00
mk-ca-bundle.pl mk-ca-bundle.pl: make -u delete certdata.txt if found not changed 2018-06-14 00:02:20 +02:00
mk-ca-bundle.vbs spelling fixes 2018-02-23 23:29:01 +00:00
mprintf.c mprintf: avoid unsigned integer overflow warning 2018-11-02 11:07:04 +01:00
multi.c wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
multihandle.h pipelining: removed 2019-04-06 22:49:50 +02:00
multiif.h multiif.h: remove unused protos 2019-05-02 09:56:19 +02:00
netrc.c netrc: don't ignore the login name specified with "--user" 2018-11-05 20:34:01 +01:00
netrc.h netrc: don't ignore the login name specified with "--user" 2018-11-05 20:34:01 +01:00
non-ascii.c non-ascii.c: fix typos in comments 2019-02-12 10:24:29 +01:00
non-ascii.h mime: new MIME API. 2017-09-02 17:47:10 +01:00
nonblock.c nonblock: fix unused parameter warning 2018-10-14 21:07:45 +02:00
nonblock.h whitespace fixes 2018-09-23 22:24:02 +00:00
nwlib.c memory: ensure to check allocation results 2018-10-03 23:45:38 +02:00
nwos.c
openldap.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
parsedate.c parsedate: CURL_DISABLE_PARSEDATE 2019-05-13 08:17:10 +02:00
parsedate.h whitespace fixes 2018-09-23 22:24:02 +00:00
pingpong.c pingpong: ignore regular timeout in disconnect phase 2018-12-17 12:33:00 +01:00
pingpong.h pingpong: ignore regular timeout in disconnect phase 2018-12-17 12:33:00 +01:00
pop3.c emailL Added reference to RFC8314 for implicit TLS 2019-04-11 01:19:15 +01:00
pop3.h
progress.c build: fix "clarify calculation precedence" warnings 2019-05-12 09:31:09 +02:00
progress.h whitespace fixes 2018-09-23 22:24:02 +00:00
psl.c psl: use latest psl and refresh it periodically 2018-05-28 20:37:14 +02:00
psl.h psl: use latest psl and refresh it periodically 2018-05-28 20:37:14 +02:00
rand.c rand: add comment to skip a clang-tidy false positive 2018-10-27 15:59:44 +02:00
rand.h rand: Fix a mismatch between comments in source and header. 2019-02-18 23:13:30 +01:00
rtsp.c pipelining: removed 2019-04-06 22:49:50 +02:00
rtsp.h whitespace fixes 2018-09-23 22:24:02 +00:00
security.c source: fix two 'nread' may be used uninitialized warnings 2019-03-05 13:03:43 +01:00
select.c cppcheck: fix warnings 2018-06-11 11:14:48 +02:00
select.h whitespace fixes 2018-09-23 22:24:02 +00:00
sendf.c WRITEFUNCTION: add missing set_in_callback around callback 2019-05-05 11:09:30 +02:00
sendf.h travis: add build for "configure --disable-verbose" 2018-10-18 14:51:49 +02:00
setopt.c proxy: acknowledge DISABLE_PROXY more 2019-05-13 08:17:10 +02:00
setopt.h setopt: reintroduce non-static Curl_vsetopt() for OS400 support 2018-01-13 01:28:19 +01:00
setup-os400.h
setup-vms.h
sha256.c http: fix for tiny "HTTP/0.9" response 2018-08-13 23:16:01 +02:00
share.c psl: use latest psl and refresh it periodically 2018-05-28 20:37:14 +02:00
share.h psl: use latest psl and refresh it periodically 2018-05-28 20:37:14 +02:00
sigpipe.h sigpipe: if mbedTLS is used, ignore SIGPIPE 2019-01-28 12:03:33 +01:00
slist.c whitespace fixes 2018-09-23 22:24:02 +00:00
slist.h whitespace fixes 2018-09-23 22:24:02 +00:00
smb.c smb: fix incorrect path in request if connection reused 2018-12-19 09:52:36 +01:00
smb.h smb: fix memory leak on early failure 2018-07-30 17:59:36 +02:00
smtp.c emailL Added reference to RFC8314 for implicit TLS 2019-04-11 01:19:15 +01:00
smtp.h
sockaddr.h whitespace fixes 2018-09-23 22:24:02 +00:00
socks_gssapi.c snprintf: renamed and we now only use msnprintf() 2018-11-23 08:26:51 +01:00
socks_sspi.c strerror: make the strerror function use local buffers 2019-02-26 10:20:21 +01:00
socks.c doh: disable DOH for the cases it doesn't work 2019-05-11 11:38:58 +02:00
socks.h whitespace fixes 2018-09-23 22:24:02 +00:00
speedcheck.c timediff: return timediff_t from the time diff functions 2017-10-25 09:54:37 +02:00
speedcheck.h timeval: struct curltime is a struct timeval replacement 2017-07-28 15:51:25 +02:00
splay.c whitespace fixes 2018-09-23 22:24:02 +00:00
splay.h code style: remove wrong uses of multiple spaces 2017-09-12 13:54:54 +02:00
ssh-libssh.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
ssh.c ssh: loop the state machine if not done and not blocking 2019-03-05 07:57:11 +01:00
ssh.h all: s/int/size_t cleanup 2018-09-01 10:40:42 +02:00
strcase.c strcase: corrected comment header for Curl_strcasecompare() 2017-08-31 11:37:36 +02:00
strcase.h Remove unused definitions 2018-08-21 18:53:43 +02:00
strdup.c Curl_saferealloc: Fixed typo in docblock 2018-09-21 14:24:55 +02:00
strdup.h
strerror.c strerror: make the strerror function use local buffers 2019-02-26 10:20:21 +01:00
strerror.h strerror: make the strerror function use local buffers 2019-02-26 10:20:21 +01:00
strtok.c
strtok.h
strtoofft.c lib: silence null-dereference warnings 2018-04-09 15:54:52 +02:00
strtoofft.h progress: calculate transfer speed on milliseconds if possible 2018-01-08 23:45:09 +13:00
system_win32.c system_win32: move win32_init here from easy.c 2019-03-02 01:49:48 -05:00
system_win32.h system_win32: move win32_init here from easy.c 2019-03-02 01:49:48 -05:00
telnet.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
telnet.h whitespace fixes 2018-09-23 22:24:02 +00:00
tftp.c urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
tftp.h whitespace fixes 2018-09-23 22:24:02 +00:00
timeval.c build: fix Codacy/CppCheck warnings 2019-04-11 21:08:44 +02:00
timeval.h printf: introduce CURL_FORMAT_TIMEDIFF_T 2019-01-04 23:51:13 +01:00
transfer.c wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
transfer.h urldata: simplify bytecounters 2019-03-01 17:30:34 +01:00
url.c proxy: acknowledge DISABLE_PROXY more 2019-05-13 08:17:10 +02:00
url.h pipelining: removed 2019-04-06 22:49:50 +02:00
urlapi-int.h tests: add urlapi unittest 2018-12-11 15:02:24 +01:00
urlapi.c urlapi: add CURLUPART_ZONEID to set and get 2019-05-05 15:52:46 +02:00
urldata.h wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
version.c ssh: define USE_SSH if SSH is enabled (any backend) 2019-05-06 10:14:17 +02:00
warnless.c cleanup: make local functions static 2019-02-10 18:38:57 +01:00
warnless.h cleanup: make local functions static 2019-02-10 18:38:57 +01:00
wildcard.c wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
wildcard.h wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
x509asn1.c x509asn1: cleanup and unify code layout 2019-02-19 16:03:19 +01:00
x509asn1.h